Security expert: Hackers could upload code to Healthcare.gov to take control of users’ computers

posted at 11:21 am on January 16, 2014 by Allahpundit

If you believe the various security professionals who spoke to Reuters, and why wouldn’t you, HHS has done next to nothing to plug the 20+ security holes they’ve been warned about since October. Including one, allegedly, that would let hackers remotely access people’s computers by uploading some sort of worm to the server.

I honestly don’t know what to believe. There’s no reason to doubt the security pros and every reason in the world to doubt that HHS equipped the site with sturdy security before rolling it out. We don’t even have to draw an inference from the overall half-assed execution of Healthcare.gov as of October 1st; remember, HHS’s own security people were waving red flags before launch day. And yet, despite endless stories about the site’s vulnerabilities and high-profile testimony by security experts before Congress in November about just how bad things are, there have been no major breaches to date.

That we know of.

Hackers could steal personal information, modify data or attack the personal computers of the website’s users, he said. They could also damage the infrastructure of the site, according to Kennedy, who is scheduled to describe his security concerns in testimony on Thursday before the House Science, Space and Technology Committee…

Kennedy said he last week presented technical details describing the vulnerabilities in the site to seven independent cyber security experts, who reviewed videos of potential attack methods as well as logs and other documentation…

“The site is fundamentally flawed in ways that make it dangerous to people who use it,” said Kevin Johnson, one of the experts who reviewed Kennedy’s findings.

Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.

“You can take control of their computers,” said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world’s biggest organization that trains and certifies cyber security professionals…

“We don’t know how bad it is because they don’t have to tell us,” Strand said.

A contractor who’s worked with HHS counters that you can’t know how vulnerable the site is unless you’ve hacked into it, which Kennedy et al. haven’t done. Kennedy did, however, write a short bit of code to see if he could harvest any personal information about users from the site. He collected 70,000 names and e-mail addresses in … four minutes. (He didn’t hack Healthcare.gov, he claims; the information was accessible on the Internet somehow and his code accessed it.)

So how do we reconcile all of this? Three possibilities.

One: The security pros are simply wrong. Why they would all be wrong, though, I have no idea. Clearly the site appears to the trained eye to be susceptible to major hacking, even though there’s no hard proof. I suppose that, in the mad rush in November to patch its problems, HHS closed the security holes without cleaning up all of the code, leaving it looking somehow like the site is vulnerable when it really isn’t. Anyone buy that? Me neither.

Two: The security pros are right but hackers, for whatever reason, have laid off Healthcare.gov. Maybe it’s because they don’t want to mess with the feds on a matter so visible, knowing that a highly public hack of the government’s new health-care showpiece would bring down the wrath of the DOJ upon them. Or maybe they’re just too kind-hearted to mess with a site that’s all about helping people get medical coverage. Hackers take legal risks all the time, though. And if anything, the public prominence of Healthcare.gov just makes it a juicier (and conveniently low-hanging) fruit to pick, I’d imagine. Even if most hackers are inclined to lay off, the basic dynamics of bad apples and bunches suggest that there’s at least one person out there who couldn’t resist screwing with it.

Three: The site’s been hacked and we just don’t know about it. The feds are keeping that info verrrry close to the vest, knowing that the last thing the big O-Care rollout needs after the big “it’s fixed!” publicity for Healthcare.gov in December is news of a massive security breach. They need people to keep enrolling to get anywhere close to their target by March 31st. A scare story about vulnerabilities being exploited to steal people’s data would bring things to a screeching halt, maybe even to the point of congressional Democrats peeling off lest they take any more political uppercuts from O-Care. But if that’s what happened here, where’s the evidence? There couldn’t be a huge hack of a site like this without someone, either on the inside or outside, finding out about it and leaking it, right? The hacker himself might brag about it somewhere online, unable to resist showing off his trophy. And yet, as far as I know, nothing like that has happened. No one’s offered any evidence of a wide-scale malicious security breach.

Just as I’m writing this, I see the AP has a story on the wires about one of the CMS officials who waved a red flag before launch now pronouncing the site safe. Apparently, it passed a security test just recently — and yet here’s Kennedy and crew telling Reuters it’s a disaster. What’s going on here?

Comments

I will not comply because I am a free citizen of the United States, not a subject of its government. I consider non-compliance with this monstrosity and the tens of thousands of pages of regulations that are to be enforced by an unelected bureaucracy, and that have left a gigantic carbon footprint on our environment and the United States Constitution, a duty.
Non-compliance is my executive order, and that order reads in part that I do not recognize any government’s claim on my action or inaction in the marketplace, nor upon any personal information I am unwilling to divulge.

Just as I’m writing this, I see the AP has a story on the wires about one of the CMS officials who waved a red flag before launch now pronouncing the site safe. Apparently, it passed a security test just recently — and yet here’s Kennedy and crew telling Reuters it’s a disaster. What’s going on here?

By all means, let’s have a thorough public discussion of the weaknesses of the website’s security. It can save hackers oodles of time!

That being said, CMS officials also declared the website fully functional in October. They have a record of lying.

Of COURSE the site’s been hacked! The answer to Allah’s question is that the hackers have laid it bare to the bone, and are keeping quiet because 1) why speak up and get the hole fixed? 2) Think of how many millions of people’s data is still flowing in that is still flowing to the hacker–why not just sit back and harvest?
And most likely 3) one of the hackers is the Democratic party itself. Probably not really a hacker, they are just getting the data illegally. If the gubmint revealed it, though, the party would be in danger, so mum’s the word.

Look. You’re not a person to have a serious political debate with. Your mind seems a bit fractured in the extremes you vacillate in between. In one comment, you lose control and say the most insulting things …

Let’s at least be adult and move this ridiculous exchange off a thread like this.

hawkdriver on January 16, 2014 at 9:51 AM

Sure thing. Check out that link I posted in my post above this one.

gryphon202 on January 16, 2014 at 9:55 AM

I’d never advocate banning anyone who is simply expressing their opinion. You have more lofty goals than that with your “contributions” here. You obviously think you can drive Conservative voters completely away from the GOP. It’s what you do. I’d just advise folks to take 100 percent of anything you say with a grain of salt. That would include the out of the blue responses you give that are rife with profanity and insults.

ok, just spitballing here, but what if part of the overall plan was the reverse- to get as many citizens to log directly onto a gubmint server and then said server uploads a worm to unsuspecting but compliant joe citizen… stuxnet anyone?

I honestly don’t know what to believe. There’s no reason to doubt the security pros and every reason in the world to doubt that HHS equipped the site with sturdy security before rolling it out.

Allah,

Among the services I provide my clients is security audits, including penetration testing. If Johnson made those quoted remarks, the situation is, in reality, worse. If black hats can get in, they probably have gotten in.

I am not just referring to local black hats. We are engaged in cyber warfare with other countries. Don’t you think they would salivate over the intel they could collect?

By the way, I read yesterday that a new company has been awarded another no bid contract for the ZeroCare™ website development.

How can the Government initiate non-compliance charges to a site that is known to have such security problems?
Just wait for the first IRS enforcement action to wind up in court. This will be the action to shut down PPACA.
Stay away from this site. It is very dangerous. You can still get insurance elsewhere; it is only a government setup.

A contractor who’s worked with HHS counters that you can’t know how vulnerable the site is unless you’ve hacked into it,

Some claims are almost too silly to be quoted, let alone pass without contest: The extent of insecurity is always unproven until exploited, which does not mean we leave our doors unlocked and open to see how much trouble that could cause.

Unlike many measurable things in society, if we can measure security failure, security has already broken down at our expense. What we want to know is whether security can be broken, even if that would take extraordinary effort. Extrapolating from known attacks may be the best we can hope for.

Even a major effort at finding weakness would not prove strength by not succeeding.

If you’re taking votes I pick this one. Since day one this entire regime has been built on a foundation of lies and opacity. Plus even though all authoritarians want to control the masses, deep down they do fear the masses as well. I think for the average IT criminal the healthcare site is a smorgasbord of information with which to cause major inconvenience to a lot of innocent people.

If you believe the various security professionals who spoke to Reuters, and why wouldn’t you, HHS has done next to nothing to plug the 20+ security holes they’ve been warned about since October. Including one, allegedly, that would let hackers remotely access people’s computers by uploading some sort of worm to the server.

I honestly don’t know what to believe. There’s no reason to doubt the security pros and every reason in the world to doubt that HHS equipped the site with sturdy security before rolling it out. We don’t even have to draw an inference from the overall half-assed execution of Healthcare.gov as of October 1st; remember, HHS’s own security people were waving red flags before launch day. And yet, despite endless stories about the site’s vulnerabilities and high-profile testimony by security experts before Congress in November about just how bad things are, there have been no major breaches to date.

That we know of.

Is the security problem highly visible?

No.

Therefore, with all the embarrassing and highly visible problems that web site has, it would be foolish to expect it to be fixed any sooner than 1 year from now — with the transition to a new company maintaining the web site, probably more like 2 years.

China owns a significant amount of our nation’s debt…and they are also credited with an enormous amount of the hacking in government, military, & commercial/civilian computers, with stealing enormous amounts of government & commercial secrets, of stealing an incredible amount of patents/ignoring patents & copying a massive amount of technology/products…making an enormous amount of money from doing so….

So why don’t we just declare to China, since you have illegally done all of this, refuse to stop, and will continue to do so…

The HHS guy is right; the only way to determine how vulnerable a site is to hacking is to hack it. That’s why most sites go through some sort of penetration tests. The tests do exactly that. They attempt to identify vulnerabilities, and they then try to exploit those vulnerabilities.

If the suspected vulnerabilities can be exploited, the test passes and your site fails. If the suspected vulnerabilities cannot be exploited, it wasn’t a vulnerability. It’s that simple.

You simply can’t identify how vulnerable a site is without hacking it.

This is going to make the Target hacking look like a day at the beach. Here, the hackers get social security numbers, not to mention medical history, which could be used in all manner of nefarious ways. Makes paying the fines a lot more appealing than it was.

The professional hackers, the ones who do the most harm, work hard to hack a system without being spotted. They sit there draining off bits of information over an extended period of time without the victim ever knowing.

If the site is as poorly designed as some say, and security wasn’t designed into the system right from the start, it may be impossible to know with much certainty if the site’s been hacked or not.

DAVID KENNEDY: Healthcare.gov is not secure today. And nothing’s really changed since the November 19th testimony. In fact, from November 19th testimony it’s even worse. Additional security researchers have come into play, providing additional research, additional findings, that we can definitely tell that the website is not getting any better.

Not exactly. They took the contract from CGI and just handed it over to a different company. The developers may be retained. It would be unwise to ditch them until they can be debriefed. No one at CGI has been fired that we know of.

700 million down the drain and counting. I wonder what the value of millions of hacked PCs is. This disaster is just getting started.

It’s better to rob the bank when the vault’s full rather than empty. Of course the hackers are waiting until it’s worth their time. But since Obamacare is for the lower income isn’t hacking it like hacking the welfare rolls? You are not going to get rich quick that way.

To put it another way, what they’re saying is like someone telling you that they could walk into your house and steal your things. Why could they walk into your house and steal your things? Because you have a door that could be unlocked. That door could be a vulnerability.

The only way to confirm if that door is a vulnerability is to walk up to it and jiggle the handle.

Not exactly. They took the contract from CGI and just handed it over to a different company. The developers may be retained. It would be unwise to ditch them until they can be debriefed. No one at CGI has been fired that we know of.

700 million down the drain and counting. I wonder what the value of millions of hacked PCs is. This disaster is just getting started.

dogsoldier on January 16, 2014 at 1:02 PM

How is that not firing the development team? If you contract a company to do your roof, and then hand that contract to a different company to do your roof, you’ve fired the first company.

What debriefing? This isn’t spec ops. It’s software development. When you fire a developer(or a team of developers), that’s it. You hope that the documentation they created is enough.

I’ve worked in software development for almost 30 years. Removing CGI is not firing the development team unless they all got laid off and weren’t picked up by the new company. Transfer of engineers from one company to another often happens and may not even require them to leave their cubes.

You haven’t worked in high tech much have you? Pretty much everything you wrote is not correct. Even if they planned to lay off all the developers, they would still spend time with the new team transferring information.

I’ve worked in software development for almost 30 years. Removing CGI is not firing the development team unless they all got laid off and weren’t picked up by the new company. Transfer of engineers from one company to another often happens and may not even require them to leave their cubes.

You haven’t worked in high tech much have you? Pretty much everything you wrote is not correct. Even if they planned to lay off all the developers, they would still spend time with the new team transferring information.

We have seen no reports that CGI is firing anyone.

dogsoldier on January 16, 2014 at 1:11 PM

That’s a pretty liberal definition of having a job. You have a cube, but you don’t have any work to do and you’re not getting paid because you don’t have a contract.

Hey construction worker, you’re not fired. We’re just not paying you anymore. See you on Monday!

It’s been hacked. The reason we haven’t heard about it from the inside is the lying administration covering it up; the reason we haven’t heard about it from the outside is that the handful of poor, sick people that have been swept up to date isn’t anything to brag about.

Yes, some of them. I can visually examine the environment and see some obvious things. For example a login screen not using SSL.

That’s the doors without locks analogy I mentioned earlier.

dogsoldier on January 16, 2014 at 2:04 PM

That’s actually a great example, because if you were to do a visual test, you’d be completely trusting the browser, which is actually doing the test. The only way to do that test with certainty would be to test the traffic to and from the server to see if it’s encrypted.

In other words, I could hack your browser to show the SSL lock or to show https in the address bar, even though the traffic is being sent in clear text. Another simpler way would be to add an iframe on an SSL page that points to non-SSL traffic.

As an IT professional, you know I’m right about this. Hacking is successful often times because things look secure but aren’t. The inverse is also true. The only way to know is to test.

No, that is incorrect. Let’s focus on just the absence of SSL first, to avoid confusion. Obviously a problem. So yes, one can see obvious problems without testing.

One doesn’t assume a site is secure by virtue of indicators in or on a browser.

One can examine the network and observe there is no firewall in the rack. Obviously, a problem. One can look at the server to see if anti-malware and anti-virus software is installed and running correctly.

That’s the “inspection” part of a security audit, which consists of a long list of items to check. Testing in its various forms is another part of the audit.

Good points, and perhaps exposing the vulnerabilities wouldn’t necessarily dry up the flow of intel right away, since they don’t seem able to secure it.

I find myself wondering if hackers could use the open door of the HealthCare.gov site to get deeper access to the government’s networks. This situation is probably much worse than we know.

If I’m hacking the site, all yours data is belong to me. Yeah ok, good stuff, but what I want is the real meat and potatoes. Can I get into the servers in the White house, Pentagon, or the NSA from there? Oh baby, I could sure have some fun with that stuff.

You can have an iframe that points to an SSL page. That iframe can reside on a page that isn’t SSL. If that iframe contains the login boxes, that login information is being encrypted. The only way to confirm that would be to inspect the network traffic.

Visual tests aren’t even part of a pen test. If you’re charging your customers for that, you are seriously defrauding them. That’s pretty unethical.

I can’t see how you can defend people who are saying that they can upload code through the website to a user’s computer, but haven’t tried it. Are you really putting politics in front of your professional integrity?

Time to change your username. The one you’re currently using has been exposed as a fraud. Maybe you can be in the military next or a biologist or some third thing you read something about on Wikipedia.

- That the site is hackable
- That the site has been hacked
- That they know the site has been hacked
- That they tell us the site has been hacked

It’s not surprising that the last and least likely of these hasn’t (yet) occurred, but that doesn’t mean that the ones before it haven’t.

Remember, most security breaks don’t get revealed to the public the way the Target one was. And HHS has every reason to hide any that occur in this case, even more so than credit card companies and retailers do.

No one’s offered any evidence of a wide-scale malicious security breach.

Not yet, but if the site has been hacked, and it eventually becomes public knowledge, will Obama/HHS attempt to use Issa/Republicans as the cause? Cummings is already claiming a “lack of policy on securing sensitive information in committee’s possession” and “lack of information about outside individuals given access to sensitive information”. And the administration did of course tell Issa he could not have physical copies of the MITRE documents saying that because of Issa’s history of selective leaks to the media, he can’t be trusted with the materials. Since Issa needed to use subpoena power, the administration says it’s concerned about the MITRE documents leaking because they “include software code and other technical information that is highly sensitive” and could give hackers “a roadmap to compromise the security of the website and the personal information of American citizens.”